Analysis

  • max time kernel
    124s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    18-10-2021 21:16

General

  • Target

    Shipping Document PL&BL Draft.exe

  • Size

    277KB

  • MD5

    9e944f39542cf55c8cd0513307c507e3

  • SHA1

    5dc457b12d42e9a91ba4ef70bbbf35494399cef7

  • SHA256

    4a5d34fcda47700161c2fbc4ee64713e81e563d04e319b7a48e52d778e70e4b7

  • SHA512

    469a7478e8d0957ca8bceed0a0f8f6dc028c8ec78e87a9212288974cdf5f752845a6d547dd27649ae2d022226cd53b37d17e2e78c3847da2dc5c7a4c34ec95ef

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1900836728:AAEDyoYbBJwtt1EA4hdgRlGTN1cq760KPNU/sendDocument

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe
    "C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2328

Network

MITRE ATT&CK Enterprise v6

Downloads

  • \Users\Admin\AppData\Local\Temp\nsf1104.tmp\psonqtuo.dll

    MD5

    4e4a9b4272db28101d5e6cf7e7368602

    SHA1

    ddc50b6b2faf4ee923c097be2758f327b501792f

    SHA256

    4b3dd1a214d3b1cf8fa9b9cdcffa76fb1823411db3e0bffc6c5a0ac356466530

    SHA512

    120b86016789f37833e397155930c700e7fd3531d58a8e557691360bb2a1600fa5279099b1ce073a57139ffe157d9dc1d2037a5051eb38d5a0cab26ad5b88924

  • memory/2328-116-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2328-117-0x000000000040188B-mapping.dmp

  • memory/2328-118-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2328-119-0x0000000002160000-0x0000000002196000-memory.dmp

    Filesize

    216KB

  • memory/2328-121-0x00000000048B0000-0x00000000048B1000-memory.dmp

    Filesize

    4KB

  • memory/2328-122-0x00000000048B2000-0x00000000048B3000-memory.dmp

    Filesize

    4KB

  • memory/2328-123-0x00000000048C0000-0x00000000048C1000-memory.dmp

    Filesize

    4KB

  • memory/2328-124-0x00000000048B3000-0x00000000048B4000-memory.dmp

    Filesize

    4KB

  • memory/2328-125-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

    Filesize

    4KB

  • memory/2328-126-0x00000000048B4000-0x00000000048B5000-memory.dmp

    Filesize

    4KB

  • memory/2328-127-0x00000000057B0000-0x00000000057B1000-memory.dmp

    Filesize

    4KB

  • memory/2328-128-0x00000000057E0000-0x00000000057E1000-memory.dmp

    Filesize

    4KB

  • memory/2328-129-0x0000000005A20000-0x0000000005A21000-memory.dmp

    Filesize

    4KB

  • memory/2328-130-0x0000000000540000-0x0000000000541000-memory.dmp

    Filesize

    4KB